Information Commissioner’s Office 


Consultation: 


Direct Marketing Code 


Start date: 8 January 2020 


End date: 4 March 2020 


Introduction 


The Information Commissioner is producing a direct marketing code 
of practice, as required by the Data Protection Act 2018. A draft of 
the code is now out for public consultation. 


The draft code of practice aims to provide practical guidance and 
promote good practice in regard to processing for direct marketing 
purposes in compliance with data protection and e-privacy rules. 
The draft code takes a life-cycle approach to direct marketing. It 
starts with a section looking at the definition of direct marketing to 
help you decide if the code applies to you, before moving on to 
cover areas such as planning your marketing, collecting data, 
delivering your marketing messages and individuals rights. 


The public consultation on the draft code will remain open until 4 
March 2020.The Information Commissioner welcomes feedback on 
the specific questions set out below. 


You can email your response to directmarketingcode@ico.org.uk 
Or print and post to: 


Direct Marketing Code Consultation Team 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire SK9 5AF 


If you would like further information on the consultation, please 
email the Direct Marketing Code team. 


Privacy statement 


For this consultation we will publish all responses received from 
organisations except for those where the response indicates that they 
are an individual acting in a private capacity (eg a member of the 
public). All responses from organisations and individuals acting in a 
professional capacity (eg sole traders, academics etc) will be published 
but any personal data will be removed before publication (including 
email addresses and telephone numbers). 


For more information about what we do with personal data please see 
our privacy notice 


Q1 Is the draft code clear and easy to understand? 


Yes - in many places 


X No - but not clear in others 


If no please explain why and how we could improve this: 


Detailed below are specific areas of the draft code, where we believe clarity would be welcomed 
to ensure the code is easier to digest. 


1) Direct Marketing Purposes & PECR/Consent 


The draft code covers in detail that direct marketing is not limited to the actual sending of direct 
marketing communications but also that any activity which leads up to, enables, supports the 
ultimate sending of a direct marketing communication would also fall under the definition of “direct 
marketing purposes” (Page 14). On Page 30 the draft code states: 


“PECR requires consent for some methods of sending direct marketing. If PECR requires 
consent, then processing personal data for electronic direct marketing purposes is unlawful 
under the GDPR without consent. If you have not got the necessary consent, you cannot rely 
on legitimate interests instead. You are not able to use legitimate interests to legitimise 
processing that is unlawful under other legislation.” 


This is similar to guidance previously published by the ICO on Legitimate Interests which states: 


“If e-privacy laws require consent, then processing personal data for electronic direct 
marketing purposes is unlawful under the GDPR without consent. If you have not got the 
necessary consent, you cannot rely on legitimate interests instead. You are not able to use 
legitimate interests to legitimise processing that is unlawful under other legislation.” 


However, the context has now been altered by the draft Code’s clear definition of “direct marketing 
purposes”. 


Many Compliance teams, Data Protection Officers and Marketing teams would not have anticipated 
that, when the ultimate aim is to send an electronic marketing communication (such as a marketing 
email to consumers) all activities enabling this send would also require consent as their lawful basis. 


It is vital for responsible businesses to target their marketing messages effectively, ensuring these 
messages are sent only to those whom the message is relevant. Otherwise they become spam, 
which we must do all we can to prevent. Message targeting activity is clearly a form of profiling 
which is in the interests of both the recipients and businesses. To that end, most message targeting 
for marketing purposes is carried out under legitimate interests, rather than consent. 


If the ICO would expect Consent to be the lawful basis for message targeting, it could be very 
difficult for organisations to adhere to and is likely to have a significant negative impact on consumer 
experience. Furthermore, it is stressed in the draft code that: 


“where possible you should provide granular consent options for each separate type of 
processing (e.g. consent to profiling to better target your marketing or different methods of 
sending the marketing), unless those activities are clearly interdependent — but as a 
minimum you must specifically cover all processing activities”. 


On a practical level, how would the ICO expect businesses to comply with the requirement for 
consent to be granular? 


a) Would it be sufficient to mention targeting (or words to that effect) in the same consent 
request as for sending marketing communications? If so, can you provide an example? 


b) Or would ICO require separate consent for i) message targeting and for ii) sending of 
marketing communications? 
If so, we strongly believe consumers will be confused or overwhelmed by the number 
consent statements/tick boxes they’re presented with. We will damage the consumer’s 
experience when engaging with companies. There is already evidence that consumers 
do not fully understanding cookie consent pop-ups, and this confusion would be 
exacerbated. 


To look at the wider context, profiling is often conducted for a variety of different reasons, including 
direct marketing & essential service messages to customers. To ‘unpick’ profiling, i.e. to restrict 
profiling to consent when it’s carried out for marketing purposes (which require consent under 
PECR), would be incredibly complex to do and it could cost millions in operational change to adapt 
this. 


2) The emphasis on Consent 


Many people’s understanding of GDPR is that the 6 lawful bases are equally valid and that 
organisations should select the most appropriate for the processing activity. This has been reiterated 
in much of the ICO’s previous guidance. 


Back in August 2017 the Information Commissioner stressed this in a widely circulated blog. She 
highlighted, “Consent is one way to comply with the GDPR, but it’s not the only way.” 


We believe the draft code’s emphasis on consent is contrary and confusing in light of previous 
guidance. Ina direct marketing context, the GDPR makes it clear that “The processing of personal 
data for direct marketing purposes may be regarded as carried out for a legitimate interest.” 


There’s a wealth of guidance to support organisations in ensuring they balance their legitimate 
interests. Furthermore, PECR makes the rules very clear where legally consent is a requirement and 
where it is not. The draft code has a ‘good practice recommendation’; 


“Get consent for all your direct marketing regardless of whether PECR requires it or not. This 
gives you the benefit of only having to deal with one basis for your direct marketing as well 
as increasing individuals’ trust and control.” 


This is given far more prominence than other wording in the code that states; 
“It also contains some optional good practice recommendations, which do not have the 
status of legal requirements but aim to help you adopt an effective approach to data 


protection compliance.” 


We do not understand why, if PECR does not legally require consent, that organisations should avoid 
reliance on legitimate interests. In certain situations, legitimate interests may actually be a more 


appropriate lawful basis than consent. 


We do not believe, especially if consent is required for all processing leading up to the sending of a 
communication (e.g. email in B2C context) that this would necessarily increase trust and control. If 
interests are legitimate and meet the transparency requirements, then individuals should always 
have a clear method of objecting. 


3) Cookies 


The draft code is not clear which sections of the guidance applies to cookies (used for marketing 
purposes) and which applies electronic communications (such as email). We believe it would be helpful 
to disentangle the two and give examples. 


4) Intrusive Profiling 


The draft code introduces the concept of “intrusive” profiling. GDPR itself focuses on profiling that 
could result in a ‘legal or similarly significant effect’. We believe this needs some clarification within 
the code as the language used is unclear. The code states: 


“It is unlikely that you will be able to apply legitimate interests for intrusive profiling for 
direct marketing purposes. This type of profiling is not generally in an individual’s reasonable 
expectations and is rarely transparent enough.” 


If an organisation has for example conducted an LIA for profiling activities, this would need to 
include assessing whether such activities were in the reasonable expectations of the individual and 
that there was appropriate transparency. If the conclusion of the LIA was that it was not in the 
reasonable expectations of the individual and there was insufficient transparency, the assessment 
would fail. 


Is the ICO just reiterating this, i.e. profiling that is not transparent and not a reasonable expectation 
would fail an LIA as it would be ‘intrusive’? Or are you suggesting that certain types of profiling 
would by their very nature be more ‘intrusive’ than others? If so, please guide us on types of 
profiling the ICO believes are likely to be intrusive? Clarification would be welcomed. 


5) Intersection between GDPR and PECR 


There’s a lack of clarity in the draft code at present between where GDPR and PECR intersect, 
especially regarding which parts of the code’s guidance is directly applicable / relevant to behavioral 
advertising, social media targeting and in-app messaging. 


6) ‘Refer a Friend’ viral marketing 


For email and SMS messages, the draft code considers that the company sending a ‘Refer a friend’ 
email to their customer is the ‘instigator’ of this communication. Therefore, if the email is forwarded 
on by the recipient to a friend, the company as the ‘institgator’ would not have consent for this 
message. The conclusion is this is impossible to obtain, and therefore such messages would breach 
the rules. 


We do not understand why the company in question would need consent for the “forwarding” of an 
email by an individual, who would surely be acting in their personal ‘household’ capacity. 
Furthermore, the code does not differentiate between a customer being encouraged to forward 
“marketing content” or being encouraged to forward a link. Would you make a distinction between 


these? 


Email recipients are in complete control as to whether they chose to forward a ‘Refer a friend’ 
message or not. They do this in their own personal capacity. Both the customer and the ‘friend’ may 
benefit by receiving a reward. This message from an organisation is not forcing a customer to do 
anything, they always have a choice. It puts them in control and customers are most likely to 
forward when they trust and respect the brand in question. 


7) Third Party Data & Article 14 requirements 


The draft code states, in relation to personal data collected indirectly, that; 


“You must provide privacy information to individuals within a reasonable period and at the 
latest within a month of obtaining their data.” 


Clarity on this point would be welcomed, as there are clearly different interpretations of GDPR at 
play. GDPR (Article 14) states this information must be provided: 


a) within a reasonable period after obtaining the personal data, but at the latest within one 
month, having regard to the specific circumstances in which the personal data are 
processed; 


b) if the personal data are to be used for communication with the data subject, at the latest 
at the time of the first communication to that data subject; or 


c) ifa disclosure to another recipient is envisaged, at the latest when the personal data are 
first disclosed. 


This text has been widely interpreted to mean either a) OR b) OR c) and certainly not that only a) 
applies in all circumstances. This seems to be at odds with GDPR, or an oversight of the flexibility 
which GDPR affords. 


In reality, most communication cycles don’t make contact within 30 days. GDPR would appear to 
allow for a longer period provided the information is provided at the time of the first 
communication. In our view GDPR’s flexibility should be maintained, particularly for businesses 
whose marketing of products and services reflects customer’s annual renewal cycle (such as 
insurance, publishing models) or a longer buying cycle (such as automotive for instance). 


For publicly available data (e.g. edited electoral roll) the draft code is suggesting organisations must 
contact every consumer gathered via such sources. This is simply impractical and could have the 
detrimental effect of consumers being inundated with communications to inform them their data is 
being processed. The ‘benefit’ of this is questionable. 


The exemption for ‘disproportionate effort’ as described in the draft code, would appear to be 
difficult to meet, especially for data brokers. 


8) Third Party Data & Consent 


The draft code includes the following ‘good practice recommendation’: 


“When sending direct marketing to new customers on the basis of consent collected by a 
third party we recommend that you do not rely on consent that was given more than six 
months ago.” 


Although the draft code references “very specific cases”, for example seasonal products or annually 
renewal insurance services, the clear emphasis is on the ‘good practice recommendation’ of six 
months. 


There’s concern this misses the point that for many businesses, for similar reasons as stated above, 
six months is to short. For example, in the insurance industry one might make contact on the month 
prior to the insurance expiring. 


Setting a very specific period for consent like this as a ‘good practice recommendation’ could cause 
more much harm than good. Would it not be better to reinforce existing positive principles 
regarding the controller’s accountability to set their own period for consent, which best fits their 
customers - within the context of the products and services they provide? 


9) Social Media Targeting 


There is some confusion in the section relating to list-based targeting tools for social media. The 
definitions and descriptions of the different tools are generic and unclear. There are situations 
where social media platforms act as Processors as well as situations where they act as Controllers. 
There are also situations where one is able to pseudonymise customer data to effectively create 
cohorts of audiences to match against the social media audience base. It would be useful to highlight 
clearly the need for marketers to examine each of the tools available on each of the platforms and 
carry out an assessment of what is and is not possible rather than generically assume that a 
marketer always requires consent to use these tools. 


Q2 Does the draft code contain the right level of detail? (When 
answering please remember that the code does not seek to 
duplicate all our existing data protection and e-privacy guidance) 


Yes 
xX No 


If no please explain what changes or improvements you would like to 
see? 


We have identified the following areas where it would be helpful to have more detail: 


1) Social Media Targeting 


The example provided in the draft code in relation to “Custom Audiences” is quite specific and 
relates to the uploading of contact details onto a social media platform. The draft code says it is 
likely this would require consent. We would agree, however this fails to address the different types 
of targeting services provided by social media platforms. We suggest that you either provide a 
greater level of granularity to illustrate the range of solutions available or provide guidance on how 
to investigate the different platforms, enabling marketers to make an informed decision about what 
lawful basis can be used. 


2) Third party content within emails 


The draft code provides detailed guidance on ‘hosted’ emails. In our experience marketers are often 
confused regarding third party content within an email. The draft code provides guidance on ‘hosted 
emails’ is not new and organisations should be aware of. 


However, there are many circumstances in which an email from one organisation may include 
promotional content relating to various different organisations. 


For example, an individual signs up to receive holiday offers by email from a named organisation. 
This named organisation which provides this service varies the content and works in partnership 
with other brands to provide a variety of different offers to its audience. 


The partners often change rapidly over time, and the content of each marketing email will not 
necessarily relate to just one brand - therefore it’s not a ‘hosted’ email as described in the code. In 
such circumstances it would not be practical or indeed possible to gain consent from individuals for 
all third parties whose content might be included in the email message. However, it would be 
completely within the reasonable expectations, and to the benefit of individuals to receive different 
holiday offers. Clarity on this type of scenario would be welcomed. 


Q3 Does the draft code cover the right issues about direct marketing? 


xX Yes - to an extent 
No 


If no please outline what additional areas you would like to see 
covered: 


To an extent yes. The traditional direct marketing activities are covered well and in some detail. 
However, given the growth in digital marketing and the rapid adoption of “similar technologies” such 
as web beacons etc. it would be helpful to have more detailed guidance on how these can be used, 
with more examples that cover apps, OOH advertising, Video on Demand, other location-based 
solutions and so on. 


Q4 Does the draft code address the areas of data protection and e- 
privacy that are having an impact on your organisation’s direct 
marketing practices? 


Yes 
No 


Q5 Is it easy to find information in the draft code? 


K Yes 
No 


If no, please provide your suggestions on how the structure could be 


improved: 


Q6 Do you have any examples of direct marketing in practice, good or bad, 
that you think it would be useful to include in the code 


Yes 
No 


If yes, please provide your direct marketing examples : 


The DPN would be happy to provide examples, if there are specific areas we’ve highlighted in this feedback 
where the ICO would like to provide an example. 


Q7 Do you have any other suggestions for the direct marketing code? 


Although the ICO indicates that this code needs to be named ‘Direct Marketing Code of Practice’, this terminology is confusing 
for the marketing community. The definition of Direct Marketing as set out by ICO in the draft code is a world away from the 
definition as understood by the marketing industry. “Direct Marketing’ as understood by the marketing community is 
outdated terminology and is therefore discounted as irrelevant. 


If you wish the digital and brand marketers to pay attention to the content of this very useful Code it will be necessary to carry 
out some significant communications to highlight that "Direct Marketing” actually applies to all marketing. Or maybe change 
the name? 

The glossary appears to be incomplete with a very limited list of terms. For instance, the lawful basis “Consent” is included but 
not “Legitimate Interest”. “Intrusive Profiling” is referenced in the document without a definition. 


About you 


Q8 Are you answering as: 


An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

An individual acting in a professional capacity 

On behalf of an organisation 

Other 


Rei: 0 


Please specify the name of your organisation: 


Data Protection Network 


If other please specify: 


The Data Protection Network provides opinion, analysis and resources to both experts and those new to data 
protection. It was founded by the data protection consultancy Opt-4 Ltd. The DPN also works on industry-led 
initiatives and runs regular events/webinars. 


Our advisory board met to discuss the draft code. We also conducted a survey of our subscribers to elicit their 


feedback, which has been included in our response. 


Q9 How did you find out about this survey? 


O ICO Twitter account 
O ICO Facebook account 
O ICO LinkedIn account 


Le) eM AE ESI Tea BR We JIC 


ICO website 

ICO newsletter 

ICO staff member 

Colleague 

Personal/work Twitter account 
Personal/work Facebook account 


Personal/work LinkedIn account 


Other Thank you for taking the time to 


| th 
If other please specify: complete the survey 


